c2 Flashcards

1
Q

Which configuration needs to be done to perform user entity behavior analysis with Prisma Public Cloud?

A. Create alert rules.
B. Whitelist IP addresses.
C. Configure User-ID.
D. Define enterprise settings.

A

D. Define enterprise settings.

2
Q

Which two cloud providers support Load Balancers as next hop configurations for outbound connections? (Choose two.)

A. Google Cloud Platform
B. Microsoft Azure
C. Oracle Cloud
D. Amazon Web Services

A

A. Google Cloud Platform
D. Amazon Web Services

3
Q
  1. Find instances that are accessible over the internet using insecure ports.
  2. Detect risky changes executed by a root user.
  3. View all S3 buckets that are open to the public via bucket policy.

Match each task with the RQL query type:
config where
event where
network where

A
  1. network where
  2. event where
  3. config where
4
Q

Which RQL string returns a list of all Azure virtual machines that are not currently running?

A. config where api.name = ‘azure-vm-list’ AND json.rule = powerState = “off”
B. config where api.name = ‘azure-vm-list’ AND json.rule = powerState does not contain “running”
C. config where api.name = ‘azure-vm-list’ AND json.rule = powerState = “running”
D. config where api.name = ‘azure-vm-list’ AND json.rule = powerState contains “running”

A

B. config where api.name = ‘azure-vm-list’ AND json.rule = powerState does not contain “running”

5
Q

Palo Alto Networks recommends which two options for outbound HA design in Amazon Web Services using VM-Series NGFW? (Choose two.)

A. iLB-as-next-hop
B. transit gateway and security VPC with VM-Series
C. traditional active/standby HA on VM-Series
D. transit VPC and security VPC with VM-Series

A

B. transit gateway and security VPC with VM-Series
C. traditional active/standby HA on VM-Series

6
Q

Which three anomaly policies are predefined in Prisma Public Cloud? (Choose three.)

A. Excessive login failures
B. Unusual user activity
C. Denial-of-service activity
D. Account hijacking attempts
E. Suspicious file activity

A

A. Excessive login failures
B. Unusual user activity
D. Account hijacking attempts

7
Q

An administrator deploys a VM-Series firewall into Amazon Web Services. Which attribute must be disabled on the data-plane elastic network interface for the instance to handle traffic that is not destined to its own IP address?

A. security group
B. tags
C. elastic ip address
D. source/destination checking

A

D. source/destination checking

8
Q

Which Google Cloud Platform project shares its VPC networks with other projects?

A. Service project
B. Host project
C. Admin project
D. Subscribing project

A

B. Host project

9
Q

An administrator has deployed an AWS transit gateway and used multiple VPC spokes to segregate a
multi-tier application. The administrator also created a security VPC with multiple VM-Series NGFWs
in an active/active deployment model via ECMP using Amazon Web Services VPN-based
attachments.
What must be configured on the firewall to avoid asymmetric routing?

A. source address translation
B. destination address translation
C. port address translation
D. source and destination address translation

A

A. source address translation

10
Q

Which two items are required when a VM-100 BYOL instance is upgraded to a VM-300 BYOL
instance? (Choose two.)

A. UUID
B. new Auth Code
C. CPU ID
D. API Key

A

B. new Auth Code
D. API Key

11
Q

How can you create a custom compliance standard in Prisma Public Cloud?

A. Generate a new Compliance Report.
B. Create compliance framework in a spreadsheet then import into Prisma Public Cloud.
C. From Compliance tab, clone a default framework and customize.
D. From Compliance tab > Compliance Standards, click “Add New.”

A

D. From Compliance tab > Compliance Standards, click “Add New.”

12
Q

Which three types of security checks can Prisma Public Cloud perform? (Choose three.)

A. compliance where
B. network where
C. user where
D. config where
E. event where

A

B. network where
D. config where
E. event where

13
Q

Prisma Public Cloud enables compliance monitoring and reporting by mapping which configurations
to compliance standards?

A. RQL queries
B. alert rules
C. notification templates
D. policies

A

D. policies

14
Q

What configuration on AWS is required in order for VM-Series to forward traffic between its network interfaces?

A. Both Source and Destination Checks are disabled
B. Both Source and Destination Checks are enabled
C. Source Check is disabled and Destination Check is enabled
D. Source Check is enabled and Destination Check is disabled

A

A. Both Source and Destination Checks are disabled

15
Q

In which two ways does Palo Alto Networks VM orchestration help service providers automatically
provision security instances and policies? (Choose two.)

A. fully instrumented API
B. Aperture Orchestration Engine
C. VM Orchestration Policy Editor
D. support for Dynamic Address Groups

A

A. fully instrumented API
D. support for Dynamic Address Groups

16
Q

Which change represents a VM-Series NGFW license transfer?
A. VM-100 BYOL on Microsoft Azure to VM-100 BYOL on Amazon Web Services
B. VM-300 BYOL on Microsoft Azure to VM-300 PAYG on Amazon Web Services
C. VM-100 BYOL on Microsoft Azure to VM-300 BYOL on Microsoft Azure
D. VM-100 BYOL on Microsoft Azure to VM-300 PAYG on Amazon Web Services

A

C. VM-100 BYOL on Microsoft Azure to VM-300 BYOL on Microsoft Azure

17
Q

The VM-Series integration with Amazon GuardDuty feeds malicious IP addresses to the VM-Series
NGFW using XML API to populate a Dynamic Address Group within a Security policy that blocks
traffic.
How does Amazon Web Services achieve this integration?
A. SNS
B. SQS
C. CodeDeploy
D. Lambda

A

D. Lambda

18
Q

What are two examples of Amazon Web Services logging services? (Choose two.)
A. CloudLog
B. CloudEvent
C. CloudWatch
D. CloudTrail

A

C. CloudWatch
D. CloudTrail

19
Q

What are two ways to initially deploy a VM-Series NGFW in Microsoft Azure? (Choose two.)
A. through ARM Templates in the GitHub Repository
B. through Solution Templates in the Azure Marketplace
C. through Expedition in the Customer Success Portal
D. through Iron Skillets in the GitHub Repository

A

A. through ARM Templates in the GitHub Repository
B. through Solution Templates in the Azure Marketplace

20
Q

What is required for an EC2 instance to access the internet directly from an AWS VPC?
A. Internet Gateway
B. Transit Gateway
C. Virtual Private Gateway
D. Customer Gateway

A

A. Internet Gateway

21
Q

What is a permanent public IP called on Amazon Web Services?
A. Reserved IP
B. PIP
C. EIP
D. Floating IP

A

C. EIP

22
Q

What are the two options to dynamically register tags used by Dynamic Address Groups that are
referenced in policy? (Choose two.)
A. VM Monitoring
B. External Dynamic List
C. CFT Template
D. XML API

A

A. VM Monitoring
D. XML API

23
Q

The Microsoft Azure virtual network gateway supports which two site-to-site connectivity options?
(Choose two.)
A. Direct Connect
B. Fast Connect
C. IPsecVPN
D. ExpressRoute

A

C. IPsecVPN
D. ExpressRoute

24
Q

Which Prisma Public Cloud policy alerts administrators to unusual user activity?
A. Anomaly
B. Audit Event
C. Network
D. Configuration

A

A. Anomaly

25
Q

Which RQL string monitors all traffic from the Internet and Suspicious IPs destined for your Amazon Web Services databases?
A. network where source.publicnetwork IN (‘Suspicious IPs’) and dest.resource IN (resource where role IN (‘AWS RDS’, ‘Database’))
B. network where source.publicnetwork IN (‘Suspicious IPs’, ‘Internet IPs’) and dest.resource IN (resource where role IN (‘LDAP’))
C. network where dest.resource IN (resource where role = ‘Database’}
D. network where source.publicnetwork IN (‘Suspicious IPs’, ‘Internet IPs’) and dest.resource IN (resource where role IN (‘AWS RDS’, ‘Database’))

A

D. network where source.publicnetwork IN (‘Suspicious IPs’, ‘Internet IPs’) and dest.resource IN (resource where role IN (‘AWS RDS’, ‘Database’))

26
Q

Which two statements are true about CloudFormation? (Choose two.)
A. CloudFormation is a procedural configuration management tool.
B. CloudFormation templates can be used on both Amazon Web Services and Microsoft Azure
C. CloudFormation templates can be written in JSON or YAML
D. CloudFormation is a declarative orchestration tool.

A

C. CloudFormation templates can be written in JSON or YAML
D. CloudFormation is a declarative orchestration tool.

27
Q

Amazon Web Services WAF can be enabled on which two resources? (Choose two.)
A. AWS CDN
B. AWS NAT Gateway
C. AWS ALB
D. AWS NLB

A

A. AWS CDN
C. AWS ALB

28
Q

Which three methods can provide application-level security for a web server instance on Amazon
Web Services? (Choose three.)
A. Traps
B. Prisma SaaS
C. Amazon Web Services WAF
D. VM-Series firewalls
E. Security Groups

A

A. Traps
C. Amazon Web Services WAF
D. VM-Series firewalls

29
Q

Which RQL string searches for all EBS volumes that do not have a “DataClassification” tag?
A. config where api.name = ‘aws-ec2-describe-volumes’ AND json.rule = tags[*]key contains DataClassification
B. config where api.name = ‘aws-ec2-describe-volumes’ AND json.rule = tags[*]key != DataClassification
C. config where api.name = ‘aws-ec2-describe-volumes’ AND json.rule = tags[*].key exists
D. config where api.name = ‘aws-ec2-describe-volumes’ AND json.rule = tags[*].key = 1

A

B. config where api.name = ‘aws-ec2-describe-volumes’ AND json.rule = tags[*]key != DataClassification

30
Q

Which three services can Google Cloud Security Scanner assess? (Choose three.)
A. Google Kubernetes Engine
B. BigQuery
C. Compute Engine
D. App Engine
E. Google Virtual Private Cloud

A

A. Google Kubernetes Engine
C. Compute Engine
D. App Engine

31
Q

DRAG DROP
A customer has deployed a VM-Series NGFW on Amazon Web Services using a PAYG license. What is
the sequence required by the customer to switch to a BYOL license?

Back up the existing configuration
Deploy a new VM-Series NGFW Instance using the BYOL license
Register the new VM-Series NGFW with Auth Code
Activate the license from the VM-Series NGFW
Load the backup configuration

A

backup
register
deploy
activate
load

32
Q

DRAG DROP
Based on the diagram, prioritize the order in which the Virtual Gateway evaluates the best route
based on the deterministic BGP path selection process.

Path origin
Longest prefix length
Lowest peer ID (IP address)
Lowest multi-exit discriminator
Shortest AS path length

A

longest
shortest
path
lowest multi
lowest peer

33
Q

When protecting against attempts to exploit client-side and server-side vulnerabilities, what is the
Palo Alto Networks best practice when using NGFW Vulnerability Protection Profiles?
A. Use the default Vulnerability Protection Profile to protect clients from all known critical, high, and medium-severity threats
B. Clone the predefined Strict Profile, with packet capture settings disabled
C. Use the default Vulnerability Protection Profile to protect servers from all known critical, high, and medium-severity threats
D. Clone the predefined Strict Profile, with packet capture settings enabled

A

D. Clone the predefined Strict Profile, with packet capture settings enabled

34
Q

Which framework in Prisma Public Cloud can be used to provide general best practices when no
specific legal requirements or regulatory standards need to be met?
A. HIPAA
B. CIS Benchmark
C. Payment Card Industry DSS V3
D. GDPR

A

B. CIS Benchmark

35
Q

An Azure VNet has the IP network 10.0.0.0/16 with two subnets, 10.0.1.0/24 (used for web servers)
and 10.0.2.0/24 (used for database servers). Which is a valid IP address to manage the VM-Series
NGFW?
A. 10.0.1.254
B. 10.0.2.1
C. 10.0.3.255
D. 10.0.3.1

A

D. 10.0.3.1

36
Q

What are two ways to enable interface swap when deploying a VM-Series NGFW in Google Cloud
Platform? (Choose two.)
A. run the PAN-OS CLI command: set system mgmt-interface-swap enable yes
B. run the PAN-OS CLI command: set system mgmt-interface-swap setting enable yes
C. create a bootstrap file that includes the mgmt-interface-swap command
D. in the Google Cloud Console Metadata Field, enter a key-value pair where mgmt-interface-swap is
the key and enable is the value

A

C. create a bootstrap file that includes the mgmt-interface-swap command
D. in the Google Cloud Console Metadata Field, enter a key-value pair where mgmt-interface-swap is
the key and enable is the value

37
Q

How can you modify a range of dates in a default policy in Prisma Public Cloud?
A. Override the value and commit the configuration.
B. Clone the existing policy and change the value.
C. Manually create the RQL statement.
D. Click the Gear icon next to the policy name to open the Edit Policy dialog

A

B. Clone the existing policy and change the value.

38
Q

What are three examples of outbound traffic flow? (Choose three.)
A. issue yum update command on an instance inside Amazon Web Services
B. Microsoft Windows inside Azure requesting a security patch
C. web server inside Amazon Web Services receiving web requests from internet
D. issue apt-get install command on an instance inside Amazon Web Services
E. outgoing Prisma Public Cloud API calls

A

A. issue yum update command on an instance inside Amazon Web Services
D. issue apt-get install command on an instance inside Amazon Web Services
E. outgoing Prisma Public Cloud API calls

39
Q

What is the scope of the Amazon Web Services IAM Service?
A. global
B. regional
C. VPC
D. zonal

A

A. global

40
Q

What resource is required to receive inbound traffic from the internet to VM-Series NGFW deployed
as a gateway for Azure Stack workloads?
A. Public IP for the VM-Series NGFW
B. NAT appliance
C. Azure Stack Edge Router
D. Border Customer Network

A

B. NAT appliance

41
Q

Which Amazon Web Services security service can provide host vulnerability information to Prisma
Public Cloud?
A. Shield
B. Inspector
C. GuardDuty
D. Amazon Web Services WAF

A

B. Inspector

42
Q

How does a customer that has deployed a VM-Series NGFW on Microsoft Azure using a BYOL license
change to a PAYG license structure?
A. purchase a new PAYG license from a reseller
B. go to Palo Alto Networks Support website to change the BYOL license to a PAYG license
C. purchase a new PAYG license for Microsoft Azure from Palo Alto Networks
D. launch a new VM using the PAYG image

A

D. launch a new VM using the PAYG image

43
Q

What is Prisma Public Cloud licensing based on?
A. number of alerts generated
B. number of accounts onboarded
C. number of monitored workloads
D. volume of flow logs consumed

A

C. number of monitored workloads

44
Q

A client has a sensitive internet-facing application server in Microsoft Azure and is concerned about
resource exhaustion because of distributed denial-of-service attacks. What can be configured on the
VM-Series firewall to specifically protect this server against this type of attack?
A. Custom threat signature
B. Zone Protection Profile
C. QoS Profile to limit incoming requests
D. DoS Protection Profile with specific session counts

A

D. DoS Protection Profile with specific session counts

45
Q

The customer has an Amazon Web Services Elastic Computing Cloud that provides a service to the
internet directly and needs to secure that cloud with a VM-Series NGFW.
Which component handles address translation?
A. The server VMs have private use only (RFC 1918) IPs. Amazon’s cloud infrastructure translates
those addresses to publicly accessible IP addresses. The VM-Series NGFW has publicly accessible IP
addresses.
B. The server VMs have private use only (RFC 1918) IPs. The VM-Series NGFW translates those
addresses to publicly accessible IP addresses.
C. The server VMs and the VM-Series NGFW have private use only (RFC 1918) IPs. Amazon’s cloud
infrastructure translates those addresses to publicly accessible IP addresses.
D. The servers and VM-Series NGFW have publicly accessible IP addresses for management
purposes.

A

C. The server VMs and the VM-Series NGFW have private use only (RFC 1918) IPs. Amazon’s cloud
infrastructure translates those addresses to publicly accessible IP addresses.

46
Q

Which RQL string using network query attributes returns all traffic destined for Internet or for
Suspicious IPs that also exceeds 1GB?
A. network where publicnetwork = (‘Internet IPs’, ‘Suspicious IPs’) AND bytes > 1000000000
B. network where dest.publicnetwork IN (‘Internet IPs’, ‘Suspicious IPs’) AND bytes > 1000000000
C. show traffic where destination.network = (‘Internet IPs’, ‘Suspicious IPs’) AND bytes > 1000000000
D. network where bytes > 1GB and destination = ‘Internet IPs’ OR ‘Suspicious IPs’

A

B. network where dest.publicnetwork IN (‘Internet IPs’, ‘Suspicious IPs’) AND bytes > 1000000000

47
Q

Which cloud provider supports iLB-as-next-hop?
A. Microsoft Azure
B. Alibaba Cloud
C. Oracle Cloud
D. Amazon Web Services

A

A. Microsoft Azure

48
Q

What is the default capacity license of a VM-Series NGFW being deployed from the Google Cloud
Platform Marketplace?
A. VM-GCP
B. VM-100
C. VM-500
D. VM-300

49
Q

Based on the diagram, how many routes will the virtual gateway advertise to the on-premises NGFW
over the Amazon Web Services Direct Connect link?
A. 4
B. 5
C. 3
D. 1

50
Q

DRAG DROP
Match the logging service with its cloud provider.

Service:
CloudWatch
Activity log
Stackdriver
Monitor
CloudTrail
Cloud Audit

Provider:
Azure
Google Cloud Platform
Amazon Web Services

A

AWS, Azure, GCP, Azure, AWS, GCP

51
Q

Which option is true about VM-Series NGFW templates available from the Palo Alto Networks
GitHub repository?
A. Palo Alto Networks provides full support if a valid support license is in place.
B. Support for the templates is available through Professional Services from Palo Alto Networks.
C. Unless otherwise noted, these templates are released under an as-is, best effort support policy.
D. The author of the template provides full support as long as the PAN-OS version specific to the
template is supported.

A

C. Unless otherwise noted, these templates are released under an as-is, best effort support policy.

52
Q

Which regulatory framework in Prisma Public Cloud measures compliance with EU data privacy
regulations in Amazon Web Services workloads?
A. GDPR
B. EU Data Protection Directive 95/46/EC
C. ISO 27001
D. Payment Card Industry 3.0

53
Q

A customer CSO has asked you to demonstrate how to identify all “Amazon RDS” resources deployed
and the region that they are deployed in. What are two ways that Prisma Public Cloud can show the
relevant information? (Choose two.)
A. Generate a compliance report from the Compliance dashboard
B. Write an RQL query from the “Investigate” tab.
C. Configure an Inventory report from the “Alerts” tab
D. Open the Asset dashboard, filter on Amazon Web Services, and click “Amazon RDS” resources

A

B. Write an RQL query from the “Investigate” tab.
D. Open the Asset dashboard, filter on Amazon Web Services, and click “Amazon RDS” resources

54
Q

Which three requirements are needed to register a PAYG VM-Series NGFW at the Palo Alto Networks
Customer Support website? (Choose three.)
A. Serial Number
B. CPU ID
C. Auth Code
D. License Key
E. UUID

A

A. Serial Number
B. CPU ID
E. UUID

55
Q

How can you use Prisma Public Cloud to identify Amazon EC2 instances that have been tagged as
“Private”?
A. Create an RQL config query to identify resources with the tag “Private.”
B. Create an RQL network query to identify traffic from resources tagged “Private.”
C. Open the Asset Dashboard, filter on tags: and choose “Private.”
D. Generate a CIS compliance report and review the “Asset Summary.”

A

A. Create an RQL config query to identify resources with the tag “Private.”

56
Q

Which three features are not supported by VM-Series NGFWs on Azure Stack? (Choose three.)
A. Azure Application Insight
B. Resource Group
C. Azure Security Center
D. Bootstrapping
E. ARM Template

A

A. Azure Application Insight
C. Azure Security Center
D. Bootstrapping

57
Q

Which option is defined by the creation and change of public cloud services managed in a repeatable
and predictable fashion?
A. platform as a service
B. infrastructure as a service
C. software as code
D. infrastructure as code

A

D. infrastructure as code

58
Q

When an on-premises NGFW (customer gateway) is used to connect to the Virtual Gateway, which
two IKE profiles cannot be used? (Choose two.)
A. Group2 / SHA-1 / AES-128-CBC / IKE-V1
B. Group2 / SHA-1 / AES-128-GCM / IKE-V1
C. Group14 / SHA-256 / AES-256-GCM / IKE-V1
D. Group2 / SHA-1 / AES-128-CBC
E. Group14 / SHA-256 / AES-256-CBC / IKE-V1

A

B. Group2 / SHA-1 / AES-128-GCM / IKE-V1
C. Group14 / SHA-256 / AES-256-GCM / IKE-V1

59
Q

A customer has just launched a Palo Alto Networks VM-Series NGFW into an Amazon Web Services
VPC to protect a cloud hosted application. They are experiencing unpredictable results and have
identified that the interfaces on the firewall are in the incorrect order.
Which PAN-OS CLI command resolves this issue?
A. set system setting mgmt-interface-swap enable yes
B. set mgmt-interface settings swap yes
C. set mgmt-interface swap yes
D. set system setting mgmt-interface swap yes

A

A. set system setting mgmt-interface-swap enable yes

60
Q

How is license utilization displayed within the Prisma Public Cloud interface?
A. navigate to the CLI and run show license command
B. navigate to General > Licensing
C. navigate to Dashboard > Asset Inventory
D. navigate to Settings (via the gear icon) > Licensing

A

D. navigate to Settings (via the gear icon) > Licensing

61
Q

How can all alerts related to “Amazon RDS” be quickly identified within the Prisma Cloud dashboard?
A. Generate a Center for Internet Security (CIS) compliance report and search for “Amazon RDS”
policy violations.
B. View the alert data on the “Asset Inventory” dashboard and filter on “Amazon RDS.”
C. Within the “Alerts” tab, filter on “Amazon RDS” as a service.
D. Create a custom Resource Query Language (RQL) configuration report.

A

C. Within the “Alerts” tab, filter on “Amazon RDS” as a service.

62
Q

What are two benefits of Cloud Security Posture Management (CSPM) over other solutions? (Choose
two.)
A. guaranteed proof of concept (POC) extensions beyond 30 days
B. native integration of network, endpoint, and cloud data to stop attacks
C. elimination of blind spots
D. proactive addressing of risks

A

C. elimination of blind spots
D. proactive addressing of risks

63
Q

Which Resource Query Language (RQL) query searches for all Relational Database Service (RDS)
instances that have a public IP address?
A. config from cloud.resource where api.name = ‘aws-rds-describe-db-instances’ AND json.rule = storageEncrypted is false
B. event from cloud.audit_logs where api.name = ‘aws-rds-describe-db-instances’ AND json.rule = publiclyAccessible is true
C. config from cloud.resource where api.name = ‘aws-rds-describe-db-instances’ AND json.rule = publiclyAccessible is true
D. config from cloud.resource where api.name = ‘aws-ec2-describe instances’ AND json.rule = publiclyAccessible is true

A

C. config from cloud.resource where api.name = ‘aws-rds-describe-db-instances’ AND json.rule = publiclyAccessible is true

64
Q

Which two template formats are supported by the Prisma Cloud infrastructure as code (IaC) scan
service? (Choose two.)
A. ARM
B. XML
C. YAML
D. JSON

A

A. ARM
C. YAML

65
Q

Which statement explains the correlation between the block and alert thresholds in a vulnerability
management policy?
A. The thresholds can be set to informational, low, medium, high, and critical.
B. The alert threshold always has precedence over, and can be greater than, the block threshold.
C. The block threshold must always be equal to or greater than the alert threshold.
D. The block threshold always has precedence over, and can be less than, the alert threshold.

A

C. The block threshold must always be equal to or greater than the alert threshold.

66
Q

Which two data sources are ingested by Prisma Cloud? (Choose two.)
A. network flow logs
B. list of all database instances’ tables
C. metadata about compute resources’ configuration
D. Cortex Data Lake

A

A. network flow logs
C. metadata about compute resources’ configuration

67
Q

Which pillar of the Prisma Cloud platform can secure outbound traffic, stop lateral attack movement,
and block inbound threats?
A. Cloud Workload Protection (CWP)
B. Cloud Code Security
C. Cloud Network Security
D. Cloud Identity Security

A

C. Cloud Network Security

68
Q

Which statement applies to vulnerability management policies?
A. Host and serverless rules support blocking, whereas container rules do not.
B. Rules explain the necessary actions when vulnerabilities are found in the resources of a customer environment.
C. Policies for containers, hosts, and serverless functions are not separate.
D. Rules are evaluated in an undefined order.

A

B. Rules explain the necessary actions when vulnerabilities are found in the resources of a customer environment.

69
Q

Which two templates are supported by Cloud Code Security scan service? (Choose two.)
A. Azure Resource Manager (ARM)
B. Hyper Text Markup Language (HTML)
C. GitHub
D. Terraform

A

A. Azure Resource Manager (ARM)
D. Terraform

70
Q

What does Infrastructure as Code (IaC) collect to enable automation?
A. modern representation formats that describe and deploy infrastructure
B. orchestrated workflows to enable cross-functional teams to deploy infrastructure
C. images to easily replicate and manage infrastructure
D. infrastructure monitoring tool sets

A

A. modern representation formats that describe and deploy infrastructure

71
Q

Which two cloud-native providers are supported by Prisma Cloud? (Choose two.)
A. DigitalOcean
B. Azure
C. IBM Cloud
D. Oracle Cloud

A

B. Azure
D. Oracle Cloud

72
Q

Which subcommand invokes the scan for images built with Jenkins in an OpenShift environment?
A. > twistcli project scan
B. > twistcli scan projects
C. > twistcli hosts scan
D. > twistcli scan hosts

A

A. > twistcli project scan

73
Q

Which filter type is valid in Asset Explorer?
A. resource name
B. instance
C. cloud region
D. feature

A

A. resource name

74
Q

Which statement is specific for Prisma Cloud when integrating into cloud environments?
A. An AutoFocus license is included in Prisma Cloud.
B. For multi-cloud environment licenses are required for the number of Prisma Cloud instances.
C. Can be natively integrated into Prisma Access.
D. No agents or proxies are required.

A

D. No agents or proxies are required.

75
Q

Which two types of Resource Query Language (RQL) queries can be used to create policies? (Choose two)
A. config from
B. network from
C. system from
D. event from

A

A. config from
B. network from

76
Q

Which type of alert captures unusual user activity and excessive login failures?
A. Anomaly
B. Audit Event
C. Configuration
D. Network

A

A. Anomaly

77
Q

What happens in Prisma Cloud after Training Model Threshold or Alert Disposition is changed?
A. Changes will take effect after a new learning phase of 30 days.
B. System will perform a reboot, deleting all past alerts.
C. Existing alerts and new alerts are regenerated based on the new setting.
D. New alerts are generated based on the new setting.

A

C. Existing alerts and new alerts are regenerated based on the new setting.

78
Q

How does Prisma Cloud Enterprise autoremediate unwanted violations to public cloud
infrastructure?
A. It inspects the application program interface (API) call made to public cloud and blocks the change
if a policy violation is found.
B. It makes changes after a policy violation has been identified in monitoring.
C. It locks all changes to public cloud infrastructure and stops any configuration changes without
prior approval.
D. It uses machine learning (ML) to identify unusual changes to infrastructure.

A

B. It makes changes after a policy violation has been identified in monitoring.

79
Q

How can a range of dates in the Prisma Cloud default policy be modified?
A. Clone the existing policy and change the value.
B. Click the gear icon next to the policy name to open the “Edit Policy” dialog.
C. Manually create the Resource Query Language (RQL) statement.
D. Override the value and commit the configuration.

A

A. Clone the existing policy and change the value.

80
Q

What are the asset severity levels within Prisma Cloud asset inventory?
A. Low, Medium, and High
B. Low, Medium, High, and Critical
C. Informational, Low, Medium, and High
D. Low, Medium, High, Severe, and Critical

A

B. Low, Medium, High, and Critical

81
Q

Prevention against which type of attack is configurable in Web-Application and API Security (WAAS)?
A. credential stuffing
B. cross-site scripting (XSS)
C. shoulder surfing
D. distributed denial of service (DDoS)

A

B. cross-site scripting (XSS)

82
Q

Where can rules be configured and viewed to configure trusted images?
A. Monitor > Compliance > Trusted Images
B. Monitor > Compliance > Images
C. Defend > Compliance > Trusted Images
D. Defend > Compliance > Images

A

C. Defend > Compliance > Trusted Images

83
Q

What occurs with the command twistcli when scanning images?
A. If options are listed after the image name, they will be ignored.
B. If option “--user” is used, it is mandatory to use option “--password.”
C. If option “--address” is unspecified, all images are scanned.
D. Option “--output-file” cannot be used in conjunction with option “--details.”

A

B. If option “--user” is used, it is mandatory to use option “--password.”

84
Q

Which statement applies to optimization of registry scans with version pattern matching?
A. It requires Linux images to rely on optimizing registry scans due to various Linux elements.
B. It is only necessary in registries with tens of thousands of repositories and millions of images.
C. It is best practice to always optimize registry scans for faster results.
D. It is rarely successful in the Windows Operating System (OS).

A

C. It is best practice to always optimize registry scans for faster results.

85
Q

Which two resource types are included in the Prisma Cloud Enterprise licensing count? (Choose two.)
A. Elastic Compute Cloud (EC2) instances
B. Network Address Translation (NAT) gateways
C. CloudFront distributions
D. Security groups

A

A. Elastic Compute Cloud (EC2) instances
C. CloudFront distributions

86
Q

Which statement reflects the default vulnerability management policy?
A. Policy rule order has little impact on optimization.
B. Prisma Cloud scans images in all containers immediately upon policy activation.
C. The default vulnerability policy rule has an alert threshold to critical.
D. Prisma Cloud ships all vulnerability policy with a default alert for containers, hosts, and serverless functions.

A

D. Prisma Cloud ships all vulnerability policy with a default alert for containers, hosts, and serverless functions.

87
Q

Which two cloud providers provide egress load balancing? (Choose two.)
A. Microsoft Azure
B. Alibaba Cloud
C. Amazon Web Services
D. Oracle Cloud

A

A. Microsoft Azure
C. Amazon Web Services

88
Q

What are two valid image identifiers to designate trust? (Choose two.)
A. repo
B. trusted publisher
C. registry
D. base layer

A

B. trusted publisher
C. registry

89
Q

Which two deployment methods are supported for Prisma Cloud Compute (PCC) container
Defenders? (Choose two.)
A. Azure SQL database instances
B. Google Kubernetes Engine
C. Oracle Functions service
D. Kubernetes DaemonSet

A

B. Google Kubernetes Engine
D. Kubernetes DaemonSet

90
Q

What is the Palo Alto Networks default Prisma Cloud setting for Alert Disposition to reduce the
number of false positives?
A. Conservative
B. Moderate
C. High
D. Aggressive

A

A. Conservative

91
Q

The following error is received when performing a manual twistcli scan on an image: sudo ./twistcli images scan -u bca208cf-26fa-43c6-ac6S-edbl840f8a5S -p 69s+DUqceuxndIF52mo4JDHlpLA -proxy:1.0
What is missing from the command?

A. registry path for image name
B. password
C. console address
D. username

A

C. console address

92
Q

Which two valid effects are used to deal with images within a rule for trusted images? (Choose two.)
A. Deny
B. Alert
C. Block
D. Ignore

A

B. Alert
C. Block

93
Q

Which RQL query should be used to quickly identify any events related to an organization’s Google Cloud Platform Big Query database in the last 24 hours?
A. event from cloud.audit_logs where cloud.type = ‘gcp’ AND cloud.service = ‘Google Bigtable Instance’
B. event from cloud.audit_logs where cloud.type = ‘gcp’ AND cloud.service = ‘cloudsql.googleapis.com’
C. event from cloud.audit_logs where cloud.type = ‘gcp’ AND cloud.service = ‘bigquery.googleapis.com’
D. event from cloud.audit_logs where cloud.type = ‘gcp’ AND cloud.service = ‘dataproc.googleapis.com’

A

C. event from cloud.audit_logs where cloud.type = ‘gcp’ AND cloud.service = ‘bigquery.googleapis.com’

94
Q

Which pillar of the Prisma Cloud platform allows cloud entitlements to be quickly audited and
A. Cloud Security Posture Management
B. Cloud Identity Security
C. Cloud Network Security
D. Cloud Code Security

A

A. Cloud Security Posture Management

95
Q

Which type of Resource Query Language (RQL) query is used to create a custom policy that looks for
untagged resources?
A. config
B. alert
C. event
D. data

96
Q

What are two business values of Cloud Code Security? (Choose two.)
A. consistent controls from build time to runtime
B. prebuilt and customizable policies to detect data such as personally identifiable information (PII) in publicly exposed objects
C. support for multiple languages, runtimes and frameworks
D. continuous monitoring of all cloud resources for vulnerabilities, misconfigurations, and other threats

A

A. consistent controls from build time to runtime
D. continuous monitoring of all cloud resources for vulnerabilities, misconfigurations, and other threats

97
Q

Which Resource Query Language (RQL) query returns a list of all TERMINATED Google Compute
Engine (GCE) instances?
A. Config from cloud.resource where api.name = ‘gcloud-compute-instance-list’ and json.rule = status == TERMINATED
B. Config from cloud.resource where api.name = ‘gcloud-compute-instance-list’ and json.rule = TERMINATED
C. Config from cloud.resource where api.name = ‘gcloud-compute-instance-list’ and json.rule = status contains TERMINATED
D. Config from cloud.resource where api.name = ‘gcloud-compute-instance-list’ and json.rule = is TERMINATED

A

C. Config from cloud.resource where api.name = ‘gcloud-compute-instance-list’ and json.rule = status contains TERMINATED

98
Q

Which Resource Query Language (RQL) query monitors all “delete” activities for the user “user1”?
A. event where crud = ‘delete’ AND subject = ‘user1’
B. event where crud = ‘delete’
C. event where crud = ‘delete’ AND subject = ‘user1’ AND cloud.type = ‘aws’
D. event where subject = ‘user1’

A

A. event where crud = ‘delete’ AND subject = ‘user1’

99
Q

Which Amazon Web Services (AWS) service supplies information for Prisma Cloud “event where”
Resource Query Language (RQL) queries?
A. GuardDuty
B. CloudTrail Audit Logs
C. Activity Logs
D. Inspector

A

B. CloudTrail Audit Logs

100
Q

What subcommand invokes the Prisma Cloud Compute (PCC) edition image scanner?
A. > twistcli images scan
B. > twistcli project scan
C. > twistcli scan projects
D. > twistcli scan images

A

A. > twistcli images scan

101
Q

Which pillar of the Prisma Cloud platform provides support for both public and private clouds as well
as flexible agentless scanning and agent-based protection?
A. Cloud Network Security
B. Cloud Security Posture Management
C. Cloud Identity Security
D. Cloud Workload Protection (CWP)

A

D. Cloud Workload Protection (CWP)

102
Q

Under which operating systems (OSs) is twistcli supported?
A. Linux, macOS, and Windows
B. Windows only
C. Linux and Windows
D. Linux, macOS, PAN-OS, and Windows

A

A. Linux, macOS, and Windows

103
Q

Which two resources provide operational insight within the Prisma Cloud Asset Inventory? (Choose
two.)
A. Cortex Data Lake
B. Cloud Storage buckets
C. Prisma Access Gateways
D. Compute Engine instance

A

A. Cortex Data Lake
B. Cloud Storage buckets

104
Q

Which two actions are appropriate when configuring Prisma Cloud to scan a registry? (Choose two.)
A. Allow Prisma Cloud to automatically optimize registry scans with version pattern matching.
B. Allow Prisma Cloud to automatically distribute the scan job across a pool of available Defenders.
C. Explicitly specify the Defender to do the job.
D. Explicitly specify the predefined version pattern-matching algorithm.

A

A. Allow Prisma Cloud to automatically optimize registry scans with version pattern matching.
B. Allow Prisma Cloud to automatically distribute the scan job across a pool of available Defenders.

105
Q

An image containing medium vulnerabilities that do not have available fixes is being deployed into
the sock-shop namespace. Prisma Cloud has been configured for vulnerability management within
the organization’s continuous integration (CI) tool and registry.
What will occur during the attempt to deploy this image from the CI tool into the sock-shop
namespace?
A. The image will pass the CI policy, but will be blocked by the deployed policy; therefore, it will not be deployed.
B. The CI policy will fail the build; therefore, the image will not be deployed.
C. The image will be deployed successfully, and all vulnerabilities will be reported.
D. The image will be deployed successfully, but no vulnerabilities will be reported.

A

C. The image will be deployed successfully, and all vulnerabilities will be reported.

106
Q

Which type of Prisma Cloud Enterprise alert supports autoremediation?
A. network
B. audit
C. anomaly
D. config

107
Q

What is the Palo Alto Networks recommended setting for the Prisma Cloud Training Model
Threshold?
A. Low
B. Thorough
C. High
D. Baseline

108
Q

Which Resource Query Language (RQL) query returns a list of all Azure SQL Databases that have transparent data encryption turned on?

A. config from cloud.resource where api.name = ‘azure-sql-db-list’ and json.rule = transparentDataEncryption is false
B. config from cloud.resource where api.name = ‘azure-sql-db-list’ and json.rule = transparentDataEncryption is true
C. config from cloud.resource where api.name = ‘azure-sql-db-list’ and json.rule transparentDataEncryption is on
D. config from cloud.resource where api.name = ‘azure-sql-db-list’ and json.rule = transparentDataEncryption = true

A

B. config from cloud.resource where api.name = ‘azure-sql-db-list’ and json.rule = transparentDataEncryption is true

109
Q

Which pattern syntax will add all images to a trusted images rule within a registry?
A. .acme.com
B. acme/
C. acme.com/myrepo/allimages:/*
D. registry.acme.com/*

A

D. registry.acme.com/*

110
Q

A Prisma Cloud Administrator has been asked to create a custom policy which notifies the InfoSec
team each time a configuration change is made to a Security group.
Which type of Resource Query Language (RQL) query would be used in this policy?
A. audit from
B. network from
C. event from
D. config from

A

C. event from

111
Q

All Amazon Regional Database Service (RDS)-deployed resources and the regions in which they are
deployed can be identified by Prisma Cloud using which two methods? (Choose two.)
A. Configure an Inventory report from the “Alerts” tab.
B. Write an RQL query from the “Investigate” tab.
C. Open the Asset dashboard, filter on Amazon Web Services, and click “Amazon RDS” resources.
D. Generate a compliance report from the Compliance dashboard.

A

B. Write an RQL query from the “Investigate” tab.
C. Open the Asset dashboard, filter on Amazon Web Services, and click “Amazon RDS” resources.

112
Q

Which regulatory framework in Prisma Cloud measures compliance with European Union (EU) data
privacy regulations in Amazon Web Services (AWS) workloads?
A. General Data Protection Regulation (GDPR)
B. International Organization for Standardization (ISO) 27001
C. Payment Card Industry (PCI) Data Security Standard (DSS) 3.0
D. EU Data Protection Directive 95/46/EC

A

A. General Data Protection Regulation (GDPR)

113
Q

Which two elements does Prisma Cloud monitor when analyzing for unusual user activity? (Choose two.)
A. Operating System (OS)
B. browser
C. location
D. time

A

C. location
D. time

114
Q

What does Prisma Cloud execute to change public cloud infrastructure when autoremediation is
enabled?
A. local scripts to public cloud APIs
B. remote function calls to host agents
C. third-party integration tools
D. public cloud CLI commands

A

A. local scripts to public cloud APIs

115
Q

In which two ways can Prisma Cloud Compute (PCC) edition be installed? (Choose two.)
A. self-managed in a customer’s own container platform
B. self-contained hardware appliance
C. as a stand-alone Windows application
D. Cloud-hosted as part of a Prisma Cloud Enterprise tenant from Palo Alto Networks

A

A. self-managed in a customer’s own container platform
D. Cloud-hosted as part of a Prisma Cloud Enterprise tenant from Palo Alto Networks